03fc1a6def
- Update to openssh 9.3p1 * No changes for askpass, see main package changelog for details - Update to openssh 9.3p1: = Security * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. = New features * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when outputting SSHFP fingerprints to allow algorithm selection. bz3493 OBS-URL: https://build.opensuse.org/request/show/1087770 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=247
88 lines
2.5 KiB
Diff
88 lines
2.5 KiB
Diff
# HG changeset patch
|
|
# Parent d296e85dc414b8cd1b4b55ad03d8216feb26531a
|
|
Send signals to systemd to prevent various race conditions
|
|
bsc#1048367
|
|
|
|
Index: openssh-8.8p1/configure.ac
|
|
===================================================================
|
|
--- openssh-8.8p1.orig/configure.ac
|
|
+++ openssh-8.8p1/configure.ac
|
|
@@ -4751,6 +4751,30 @@ AC_ARG_WITH([kerberos5],
|
|
# AC_SUBST([GSSLIBS])
|
|
AC_SUBST([K5LIBS])
|
|
AC_SUBST([CHANNELLIBS])
|
|
|
|
+# Check whether user wants systemd support
|
|
+SYSTEMD_MSG="no"
|
|
+AC_ARG_WITH(systemd,
|
|
+ [ --with-systemd Enable systemd support],
|
|
+ [ if test "x$withval" != "xno" ; then
|
|
+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
|
|
+ if test "$PKGCONFIG" != "no"; then
|
|
+ AC_MSG_CHECKING([for libsystemd])
|
|
+ if $PKGCONFIG --exists libsystemd; then
|
|
+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
|
|
+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
|
|
+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
|
|
+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
|
|
+ AC_MSG_RESULT([yes])
|
|
+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
|
|
+ SYSTEMD_MSG="yes"
|
|
+ else
|
|
+ AC_MSG_RESULT([no])
|
|
+ fi
|
|
+ fi
|
|
+ fi ]
|
|
+)
|
|
+
|
|
+
|
|
# Looking for programs, paths and files
|
|
|
|
PRIVSEP_PATH=/var/empty
|
|
@@ -5564,6 +5588,7 @@ echo " libldns support
|
|
echo " Solaris process contract support: $SPC_MSG"
|
|
echo " Solaris project support: $SP_MSG"
|
|
echo " Solaris privilege support: $SPP_MSG"
|
|
+echo " systemd support: $SYSTEMD_MSG"
|
|
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
|
|
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
|
|
echo " BSD Auth support: $BSD_AUTH_MSG"
|
|
Index: openssh-8.8p1/sshd.c
|
|
===================================================================
|
|
--- openssh-8.8p1.orig/sshd.c
|
|
+++ openssh-8.8p1/sshd.c
|
|
@@ -85,6 +85,10 @@
|
|
#include <prot.h>
|
|
#endif
|
|
|
|
+#ifdef HAVE_SYSTEMD
|
|
+#include <systemd/sd-daemon.h>
|
|
+#endif
|
|
+
|
|
#include "xmalloc.h"
|
|
#include "ssh.h"
|
|
#include "ssh2.h"
|
|
@@ -308,6 +312,10 @@ sighup_handler(int sig)
|
|
static void
|
|
sighup_restart(void)
|
|
{
|
|
+#ifdef HAVE_SYSTEMD
|
|
+ /* Signal systemd that we are reloading */
|
|
+ sd_notify(0, "RELOADING=1");
|
|
+#endif
|
|
logit("Received SIGHUP; restarting.");
|
|
if (options.pid_file != NULL)
|
|
unlink(options.pid_file);
|
|
@@ -2076,6 +2084,11 @@ main(int ac, char **av)
|
|
}
|
|
}
|
|
|
|
+#ifdef HAVE_SYSTEMD
|
|
+ /* Signal systemd that we are ready to accept connections */
|
|
+ sd_notify(0, "READY=1");
|
|
+#endif
|
|
+
|
|
/* Accept a connection and return in a forked child */
|
|
server_accept_loop(&sock_in, &sock_out,
|
|
&newsock, config_s);
|